The Great Firewall Swindle

Tuesday 28 September 2021
Bob Leggitt
"This is what the broad tech industry wants. Products that are useless for 99% of people. Because if the firewall works properly, the tech industry doesn't get its saleable data."
[Image: Opensnitch firewall prompt]
A good, communicative firewall at work. This is Opensnitch reporting Systemd Timesync's attempt to contact ubuntu.com in Bodhi Linux. This is one of the network connections made without user consent or knowledge in Ubuntu-derived Linux operating systems. You can argue that the connection is in this case harmless or useful, but it's nevertheless an instance of the computer making its own networking decisions, on the quiet. The user's awareness should never be bypassed in this way. Without a good firewall, who's in control?

It amazed me, about eighteen months back when I first began my shift from Windows into the world of Linux, that so many in the Linux community said firewalls were unnecessary. It amazed me that so many Linux distributions came with the firewall deactivated. It amazed me that the most common Linux default firewalls are uncooperative command-line routines. It wasn't, so it turned out, that there were no good options. It was that the distributions were choosing not to ship one.

I've loved the improvements in quality of digital life that Linux has brought me. For the first time in many years I've felt that being 100% in control of my computers is within reach. But the firewall situation struck me as odd. Here was a breed of operating system that traded on improved privacy and delivered generally good transparency as compared with the ironically ever-opaque Windows. And yet Linux rarely came ready to run with the most basic privacy protector of all - a firewall that any home user could control. Was this a conspiracy?

Whatever the truth, there are now "experts" across the whole tech spectrum either a) trying to talk us out of using firewalls, or b) recommending firewalls that won't work for 99% of home users. Why? [Puts on tinfoil hat]… Because firewalls obstruct the surveillance machine and the tech industry wants unfettered access to our activity. Do not listen to these incentivised or brainwashed stooges. Firewall your computer(s) to the teeth, whichever OS you're on.


WHAT IS A FIREWALL'S ROLE?

Firewalls have traditionally been known as security features, blocking the access of would-be intruders who seek to break into your device.

But the truth in the 2020s is that the nature of intrusion has long since changed, and the old model of "breaking in" is no longer the preferred method. Intrusion today normally involves enticing the public into downloading and installing something they actually want or need - say, a browser - then using that product to spray inside information from within the device, back to a range of actively listening data collection points. And then selling the data.

This is a form of theft, because much of the data is being taken without the subject's knowledge or permission. The issue isn't whether the data is personally identifiable or not. The issue is that the data has monetary value. Once someone starts taking something with monetary value, on the sly, and then profiting from what they've taken, they're stealing. So for the user this is not just a matter of privacy. It's a matter of security. Prevention of theft.

For the intruder, gaining authorised access is far more effective and much easier than trying to "break in" unauthorised. And because most spyware is now considered legitimate or essential software, we're far less alert to the violation.

However, the typical firewall has not in any way adapted to prevent the practice of outbound data-spraying. How much of this out-of-control backchat do you think your firewall is blocking? If you don't know, chances are the answer is none.

And the data-crazed tech industry does not want to talk about this. If everyone had a good firewall blocking the spew of outbound data from all their local programs, it would vastly impact the gravy train. It would lose the tech industry a fortune in saleable data. It's not hard to see why they all want us to think, at the least, that outbound firewalling is unnecessary.

INBOUND AND OUTBOUND

Firewalls have the capacity to block the passage of network traffic in two directions. Inbound - that is, traffic trying to get into your computer. And outbound - that is, traffic trying to get out of your computer.

It's a common misconception that the only traffic we need to worry about is the inbound. The traffic trying to get into our computers. Because that's gonna be the baddies, right? The traffic trying to get out is going to be us, and why would we want to stop ourselves reaching into the yonder of cyberspace?… That's the common understanding of inbound/outbound firewalling, but it's wrong, and it's dangerous.

It's true that we need a route out of our own computers if we want to access the internet. And the tech industry loves this simplistic "inbound-bad / outbound-good" vision of firewalling, because it completely overlooks the industrial-scale, on-the-sneak data-spraying that occurs when we fail to stop installed programs from dialling out.

But the reality in the 2020s is that the local programs installed on most modern PCs combine to form an almost endless projectile vomit of chat back to their respective headquarters and a range of "carefully selected associates". Any excuse to contact Big Brother, and those innocent-faced progs are blabbering away into cyberspace like a supergrass in cuffs.


As surveillance gets ever more aggressive, allowing all and sundry to constantly dial out from your computer extends beyond just a privacy issue, and into the realm of danger. As "telemetry" routines continue to broaden the scope of what they collect, the danger of them accidentally collecting login or banking information grows. And that's assuming they're above board. Download a dodgy app and it may even deliberately seek your passwords and bank info. If you're properly firewalled, a rogue app might still gather that data, but it can't send it to anyone - at least not over any connection you haven't explicitly allowed it to make. That's a vital protection. But it's a vital protection many home users do not have.

The tech industry's completely blasé attitude to outbound firewalling gives us another perfect illustration of how fake their "OMG security tho!" mantra really is. They will scream purple-faced about "protecting our security" when it gives them a means to control us or collect from us. But when it stands in the way of their precious data flow, suddenly it ceases to matter.

Which is worse: blocking browser updates for a few weeks, or running a computer with completely open outbound network access? If you listen to the tech industry, missing a browser update is a massive problem, while zero outbound firewalling is not a problem at all. Think seriously about that for a moment. It's not really our security they're interested in, is it?

HOW A FIREWALL SHOULD WORK

A firewall should block all network connections by default - both inbound and outbound - for privacy and security reasons.

Then, every time a network connection is attempted, the firewall should inform you, stating the name of the program trying to connect, and the destination it's trying to connect to. It should give you the option to allow or decline the connection, on either a temporary or permanent basis, according to your choice.

A brilliant firewall, like Opensnitch for Linux, will even provide options on whether you block the program trying to connect, or the specific domain/subdomain it's trying to connect to.

For instance, it might say "Firefox browser wants to connect to getpocket.com", and present buttons which either allow or decline that connection. With Opensnitch and other great firewalls, you can even elect to block connections to, say, getpocket.com, but still use the browser. One or two button clicks and you're rid of that connection attempt for good. This is what real, user-orientated firewalling is all about.

Although a serious firewall's popups can get a bit annoying within the first day of use, the ability to permanently allow or decline specific connections means that the system knows nearly all of your daily preferences within 24 hours. The firewall then goes quiet, silently blocking or allowing the things it's learned to block or allow.
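To make the allow/decline model concrete, here is an added example that models the decision loop in Python: default deny, a prompt for every connection that no stored rule covers, answers that apply to the program, the destination host (with its subdomains) or both, and durations of once, 30 seconds or always. This is not Opensnitch's code or its rule format; the class and field names, the scope labels and the duration set are my own, and the connection attempts, the scripted user's answers and the clock are constructed for the demonstration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Added example: a toy of the prompt-and-remember loop of an application firewall.
# Not Opensnitch's code or rule format; every name here is invented.

@dataclass
class Conn:
    """One outbound connection attempt as an application firewall sees it."""
    process: str      # program name or path, e.g. "firefox"
    dest_host: str    # destination name, e.g. "getpocket.com"
    dest_port: int

@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    process: Optional[str]        # None = any program
    dest_host: Optional[str]      # None = any host; else this host and its subdomains
    expires_at: Optional[float]   # None = permanent ("always")

    def matches(self, c: Conn) -> bool:
        if self.process is not None and self.process != c.process:
            return False
        if self.dest_host is not None and not (
                c.dest_host == self.dest_host
                or c.dest_host.endswith("." + self.dest_host)):
            return False
        return True

# Durations the prompt offers, in seconds; None means permanent.
DURATIONS = {"once": 0, "30s": 30, "always": None}

# A prompt answer is (action, scope, duration), or None when the user doesn't answer.
# scope: "process" (this program, any host), "host" (this host, any program),
# or "process+host".
Answer = Optional[tuple]

class AppFirewall:
    def __init__(self, ask: Callable[[Conn], Answer], clock=time.time):
        self.ask = ask          # stands in for the popup
        self.clock = clock
        self.rules: list = []

    def decide(self, c: Conn) -> tuple:
        """Return (action, source); source is 'rule', 'prompt' or 'default'."""
        now = self.clock()
        # Forget temporary rules that have timed out.
        self.rules = [r for r in self.rules
                      if r.expires_at is None or r.expires_at > now]
        for r in self.rules:                 # first matching rule wins
            if r.matches(c):
                return r.action, "rule"
        answer = self.ask(c)
        if answer is None:                   # no answer: default deny, remember nothing
            return "deny", "default"
        action, scope, duration = answer
        ttl = DURATIONS[duration]
        if duration != "once":               # "once" answers are not stored
            self.rules.append(Rule(
                action,
                c.process if scope in ("process", "process+host") else None,
                c.dest_host if scope in ("host", "process+host") else None,
                None if ttl is None else now + ttl))
        return action, "prompt"

def scripted_user(answers: dict) -> Callable[[Conn], Answer]:
    """Stand-in for the person at the popup: maps (process, dest_host) -> answer."""
    return lambda c: answers.get((c.process, c.dest_host))

def demo(clock_value: list) -> list:
    """Constructed scenario: a few Firefox-style connection attempts over time."""
    fw = AppFirewall(scripted_user({
        ("firefox", "getpocket.com"): ("deny", "host", "always"),
        ("firefox", "mozilla.org"):   ("allow", "process+host", "30s"),
        ("firefox", "example.com"):   ("allow", "process", "once"),
    }), clock=lambda: clock_value[0])
    out = []
    out.append(fw.decide(Conn("firefox", "getpocket.com", 443)))          # prompt -> deny, kept
    out.append(fw.decide(Conn("thunderbird", "api.getpocket.com", 443)))  # host rule, no prompt
    out.append(fw.decide(Conn("firefox", "mozilla.org", 443)))            # prompt -> allow, 30s
    clock_value[0] += 10
    out.append(fw.decide(Conn("firefox", "mozilla.org", 443)))            # rule still valid
    clock_value[0] += 30
    out.append(fw.decide(Conn("firefox", "mozilla.org", 443)))            # expired: asked again
    out.append(fw.decide(Conn("firefox", "example.com", 80)))             # once: nothing kept
    out.append(fw.decide(Conn("firefox", "example.com", 80)))             # so it asks again
    out.append(fw.decide(Conn("curl", "unknown.test", 443)))              # no answer -> deny
    return out

if __name__ == "__main__":
    for action, source in demo([1000.0]):
        print(f"{action:5} ({source})")
```

The two design points worth noticing are that an unanswered prompt falls through to deny rather than allow, and that a "host" rule blocks a destination for every program, which is exactly the "block Pocket but keep using the browser" case described above.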

This system is not rocket science. It's been around in basic form since the 1990s, and it's by far the best system there is. The reason so many firewalls refuse to use it today, I would suggest, is that it blocks the transfer of data to a huge number of hidden collection points, and it very quickly reveals the truth behind corporate tech's empty privacy claims. Obviously, this is not something the tech industry is going to approve of.


HOW THE MOST COMMON FIREWALLS ACTUALLY DO WORK

The common firewalls, including Windows Firewall and UFW in Linux (if it's even activated at all), block unsolicited inbound connections, but allow nearly all or completely all outbound connections. UFW, and the iptables rules it generates, match on address, port and protocol, not on which program opened the connection, so even when it does block something it has no way of telling you which application was responsible. This type of firewall is also typically uncommunicative. It doesn't tell you anything. It leaves you to guess what should be blocked or allowed.

If you enable outbound firewalling and get the permissions wrong, you might see a piece of software refusing to work, but you won't see a message from the firewall explaining exactly what it's blocked. UFW can at least be told to log what it drops (ufw logging on), but the entries name addresses and ports, not programs, and you still have to go and dig them out of the kernel log. You may not be able to identify what's wrong, and the most common course of action in this scenario is to just return the firewall to its default settings - i.e. disable outbound firewalling again. This is what the broad tech industry wants. Products that are useless for 99% of people. Because if the firewall works properly, the tech industry doesn't get its saleable data.
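As an added example (mine, not from the page and not part of UFW): this is what you actually get from UFW when logging is on, one kernel log line per dropped packet, and a script that parses those lines and totals the blocked outbound attempts by destination. The log lines below are constructed in the shape of UFW's "[UFW BLOCK]" entries (IN= empty with OUT= set marks a packet the machine itself generated); the addresses are documentation ranges, not real traffic.

```python
import re
from collections import Counter

# Constructed sample in the shape of UFW's kernel log lines. Not real traffic.
SAMPLE_LOG = """\
Sep 28 20:01:12 bodhi kernel: [ 812.334] [UFW BLOCK] IN= OUT=wlan0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 28 20:01:12 bodhi kernel: [ 812.401] [UFW BLOCK] IN= OUT=wlan0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 28 20:01:15 bodhi kernel: [ 815.020] [UFW BLOCK] IN= OUT=wlan0 SRC=192.168.1.23 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40123 DPT=123 LEN=56
Sep 28 20:01:20 bodhi kernel: [ 820.117] [UFW BLOCK] IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.23 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 28 20:01:25 bodhi kernel: [ 825.900] [UFW AUDIT] IN= OUT=wlan0 SRC=192.168.1.23 DST=203.0.113.55 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=51300 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# "[UFW BLOCK] " is the netfilter LOG prefix; what follows is key=value fields
# plus bare flags such as DF and SYN, which the field regex simply skips.
LINE_RE = re.compile(r"\[UFW (?P<verdict>[A-Z ]+?)\] (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_ufw_line(line: str):
    """Return a dict for a UFW log line, or None for any other kernel message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    # Locally generated packets have an empty IN= and a populated OUT=.
    direction = "out" if fields.get("OUT") and not fields.get("IN") else "in"
    return {
        "verdict": m.group("verdict"),
        "direction": direction,
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }

def blocked_outbound(log_text: str) -> Counter:
    """Count dropped outbound packets by (destination, protocol, port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec and rec["verdict"] == "BLOCK" and rec["direction"] == "out":
            counts[(rec["dst"], rec["proto"], rec["dport"])] += 1
    return counts

if __name__ == "__main__":
    # On a real machine: journalctl -k --no-pager | python3 thisscript.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for (dst, proto, port), n in blocked_outbound(text).most_common():
        print(f"{n:4}  {proto} {dst}:{port}")
```

To get these lines at all you need ufw default deny outgoing and ufw logging on (the default-policy drops are logged rate-limited), then read journalctl -k or /var/log/ufw.log on Ubuntu. Notice what the summary can never contain: the program. The entry gives you a destination and a port, and working back from the source port to a process is left to you, which is precisely the gap an application firewall fills.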

Unsolicited inbound connections - as opposed to the replies to connections your browser opened, which the firewall waves through as established traffic - are rare for most home users, especially behind a typical home router that already drops them. So it looks as if the above type of firewall, set to its defaults, is doing its job silently and intelligently. But the reality is it's most likely not doing anything at all. Outside of the browser there's nothing trying to get in, and everything is free to dial out at will. So what is the firewall blocking? Precisely nothing.

This incarnation of the firewalling process has been normalised, but it's still sobering to see something most people won't properly understand being touted as a workable solution. It's hard to see how some of these firewalls could have been made any more difficult for the average person to use.

BUT LINUX IS INHERENTLY SAFER THAN WINDOWS, RIGHT?

The cliché we hear is that Linux doesn't have "open sockets" like Windows - that is, no services sitting on open ports waiting for anyone to connect - and therefore it's safe enough not to need a firewall. But that only speaks to inbound traffic, and it's a misleading way to look at the issue. The reality is that if you don't firewall a Linux-based OS, outbound network connections will be established behind your back, on the sneak.

Whether or not the people behind your Linux package think it's okay for "approved programs" to "phone home" is beside the point. The point is it's your computer, not theirs, and you should decide who is allowed to do what on it. If you're not deciding that, you don't own your computer.
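The quickest way to see this for yourself, with no firewall installed, is to read what the kernel already exposes. The added example below (my code, not from the page or from any project) parses /proc/net/tcp, decodes its hex-encoded addresses, and maps each socket's inode to the process holding it by reading /proc/<pid>/fd. The sample table is constructed for the test; run the script as-is to list your own machine's live connections. It assumes a little-endian host (the kernel writes IPv4 addresses in host byte order) and covers IPv4 only; the IPv6 table is /proc/net/tcp6.

```python
import os
import socket
import struct

# Constructed sample of /proc/net/tcp: one listener on 127.0.0.1:631, one
# established connection to 203.0.113.10:443, one half-open to 198.51.100.7:80.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18210 1 0000000000000000 100 0 0 10 0
   1: 1701A8C0:C822 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 18355 1 0000000000000000 20 4 30 10 -1
   2: 1701A8C0:C830 076433C6:0050 02 00000001:00000000 01:00000123 00000001  1000        0 18402 1 0000000000000000 20 4 0 10 -1
"""

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}  # the ones we care about

def decode_addr(hex_addr: str) -> tuple:
    """'0100007F:0277' -> ('127.0.0.1', 631). Assumes a little-endian host."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text: str) -> list:
    """Parse the /proc/net/tcp table (header skipped) into dicts."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 10:
            continue
        rows.append({
            "local": decode_addr(parts[1]),
            "remote": decode_addr(parts[2]),
            "state": TCP_STATES.get(parts[3], parts[3]),
            "uid": int(parts[7]),
            "inode": int(parts[9]),
        })
    return rows

def socket_owners() -> dict:
    """Map socket inode -> (pid, comm) by scanning /proc/*/fd. Reading other
    users' fd tables needs root, so run as root for the full picture."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
            except OSError:
                continue
            if target.startswith("socket:["):
                inode = int(target[len("socket:["):-1])
                try:
                    with open(f"/proc/{pid}/comm") as f:
                        comm = f.read().strip()
                except OSError:
                    comm = "?"
                owners[inode] = (int(pid), comm)
    return owners

def outbound_connections(text: str, owners: dict) -> list:
    """Connections that are open or being opened, with the owning process if known."""
    result = []
    for c in parse_proc_net_tcp(text):
        if c["state"] in ("ESTABLISHED", "SYN_SENT"):
            pid, comm = owners.get(c["inode"], (None, "unknown"))
            ip, port = c["remote"]
            result.append((comm, pid, f"{ip}:{port}", c["state"]))
    return result

if __name__ == "__main__":
    with open("/proc/net/tcp") as f:
        live = f.read()
    for comm, pid, remote, state in outbound_connections(live, socket_owners()):
        print(f"{comm:16} pid={pid}  {remote:22} {state}")
```

This is the same information ss -tunp prints, but seeing it assembled by hand makes the point: the kernel knows exactly which program opened which connection, and a packet filter throws that knowledge away, while a firewall of the Opensnitch type is built around it.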


IN PRACTICE

Because of its extensive options on how connections are blocked, and for how long, Opensnitch for Linux is the best free firewall I've used. The best way to get it installed is to start at the developer's Wiki page and carefully read the instructions. It might take a short while to check out exactly how the installation process works on your system, but that will be time very well spent…

I installed Firefox into the Ubuntu-based Bodhi Linux, and used the browser for a period with my standard privacy adjustments and no active firewall. I found the browser slow and clunky compared with Ungoogled Chromium.

Then I powered up Opensnitch and launched Firefox again. I sat for a while just blocking things as popup after popup reported what Firefox was up to on the sneak.

I blocked a content signature CDN at Mozilla.net. Two connections relating to Pocket - one heading for Pocket.com. I've never used Pocket. I blocked the push notifications "service" - which tried to connect even though I had push notifications disabled. I blocked a settings "service" connecting to Mozilla.com…

I stress, all of this came after I'd made a wide range of standard privacy adjustments to Firefox, including rigorous disabling of all telemetry and updates, using the available settings, config parameters, and a separate Policies file to block any extraneous backchat I could feasibly think of. And yet, the browser still couldn't stop trying to phone home, phone Pocket, etc. These products are aggressive spyware. There's no other way it can be phrased.

And that's why we need good, communicative firewalls.

Notably, after blocking this range of unauthorised connection attempts, I saw an increase in the speed of the Firefox browser. Most noticeably a reduction in startup time. Empirical evidence that the bloat of unnecessary spyware really does slow your applications down.

IS THERE A CONSPIRACY?

So, do I believe the conspiracy theory that Big Tech works to suppress the spread of truly effective firewalls? Yes. Absolutely. Call me a tinfoil-hatter. I don't care. Think of the money at stake. Why would Big Tech NOT want to suppress firewalls that block their sly data-streaming regime?

Query a search engine for the best firewalls, and chances are that not one front-page post will cite the actual best firewall. Most of the "top choices" are either too hard for the average home user to set up for proper selective permissions, or are just set to an inept default that allows more or less anything to do anything.

I searched 'best firewall for Linux', and didn't see Opensnitch mentioned at all. Conversely, I saw IPtables mentioned in nearly every post. Seriously? You seriously think the average home user is going to sit over a command line terminal telling a computer which packets to transmit, in code syntax? You seriously think people would want that more than they would want a simple graphical tool that does all the work, tells them exactly what's trying to do what, and just lets them approve or decline the connections?

We've been well and truly gobbledegooked on firewalls. The most visible products are the most useless, most difficult-to-use blobs of sullen, uncooperative idleware available. And we've been conditioned to shut our mouths and pretend we can be bothered to harness them, while they sit around with their digital feet up, letting literally every executable on our drive do its worst.

Ultimately, if you've never seen popups from your firewall, it's probably not doing its job. Get one that shows you popups, tells tales, and keeps you informed. Because firewalls that don't communicate are inadequate for the average home user.